Reading an NTFS disk in raw mode

10 posts in this topic

smstroble 0

I had an idea, since I'm kinda bored, I thought it would be cool to create a program for recovering deleted files (yes, I know there are many out there, but most look very questionable). So anyway, I figured I would read the NTFS data in raw and pick out deleted folders in the mess of data. Well, I dumped a portion of my disk to a txt file in raw.

Below that is data, and I can recognize some text and ini files from my drive, and I know where they are located (in the file structure) and their file names, but I can't find the file names in the data. I figure I need to find and read the master file table, but I have no clue where it is or how to read it.

So if someone could point me in the direction of some helpful information, that would be great.


Generator 0

I had an idea, since I'm kinda bored, I thought it would be cool to create a program for recovering deleted files (yes, I know there are many out there, but most look very questionable). So anyway, I figured I would read the NTFS data in raw and pick out deleted folders in the mess of data. Well, I dumped a portion of my disk to a txt file in raw.

Below that is data, and I can recognize some text and ini files from my drive, and I know where they are located (in the file structure) and their file names, but I can't find the file names in the data. I figure I need to find and read the master file table, but I have no clue where it is or how to read it.

So if someone could point me in the direction of some helpful information, that would be great.

Thanks.

I think what happens is that the data cannot be displayed as plain text.


smstroble 0

Any data can be seen as plain text as far as I know, though it won't be of any use because it was not meant to be text. Though often more information can be gotten from hex, because pretty much anything that is not standard ASCII is shown as a square or a blank spot.

Give me a minute; I'm writing a program to parse some of it into hex for you guys to look at.


Generator 0

Any data can be seen as plain text as far as I know, though it won't be of any use because it was not meant to be text. Though often more information can be gotten from hex, because pretty much anything that is not standard ASCII is shown as a square or a blank spot.

Give me a minute; I'm writing a program to parse some of it into hex for you guys to look at.

What I meant was that the data was not supposed to be shown as plain text; of course you can view anything with Notepad, but it won't show anything helpful.

Side note: I am not good at this, but maybe you can look up some method on Google and see how it works.


smstroble 0

I have been looking around Google for a couple of hours now; I'm starting to think that this may be way over my abilities. I'm having trouble finding anything on the NTFS file system other than, in general, how it's set up, nothing specific enough to work with. I think I'm going to have to look at the source of another undelete program, but that hasn't been terribly easy to find either.


Confuzzled 1

You are going to have to peek quite low down in the NTFS subroutines to get to where you want. For a bit of background, why not get one of the older versions of Norton Utilities for DOS (over 10 years old) and read how the partition table, boot file sector, FAT table and directory/folder structures are constructed for a FAT system, and work your way up from there. As additional useful reading, you may find open source code for drivers that mount NTFS drives under Linux.

Somehow I strongly suspect AutoIt is not the appropriate language to be using to do this type of work. As your knowledge increases, you will come to understand why...

Is the start of your drive identifying the file format as NTFS and later giving text error messages that it may need to display?

The information in between is all machine code, and you are right that it is best viewed in hex.

Without going into too much detail (it gets boring after a bit), for doing data recovery you either need to search for a given file type's signature (i.e. JPEG = YoYa, exe = MZ) and then extract that data to another file or, if your intention is to a corrupted drive, then you read the Master File Table and work out where the partition locations are and write that data back to the drive.

If you have a look at data recovery books or forensic forums, they are a great help.

Question: Have you worked out how to write the data back to the drive at the location it was copied from?
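Two things come up in this thread: the original poster cannot find the master file table in a raw dump, and the reply above describes signature-based recovery (find a known header such as MZ or the JPEG start marker, then copy the data out). The following is an added example that is not from any poster in this thread; it reads the MFT location out of the fixed-layout NTFS boot sector (OEM ID at offset 3, bytes per sector at 0x0B, sectors per cluster at 0x0D, $MFT cluster number at 0x30, $MFTMirr at 0x38) and scans a buffer for file signatures, only accepting hits on a sector boundary to cut down false positives. The 4 KiB "volume" it runs on is constructed inline for the demo, so it runs offline; to use it on a real dump, pass the file's bytes to the same functions.

```python
import struct

# NTFS boot sector field offsets (fixed, documented layout; not taken from the thread).
OEM_ID_OFF = 3                  # 8 bytes, "NTFS    "
BYTES_PER_SECTOR_OFF = 0x0B     # uint16 little-endian
SECTORS_PER_CLUSTER_OFF = 0x0D  # uint8
MFT_LCN_OFF = 0x30              # uint64 LE, logical cluster number of $MFT
MFT_MIRR_LCN_OFF = 0x38         # uint64 LE, logical cluster number of $MFTMirr


def locate_mft(boot_sector: bytes) -> dict:
    """Work out the byte offset of $MFT from the volume's first 512 bytes."""
    if boot_sector[OEM_ID_OFF:OEM_ID_OFF + 8] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '; not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", boot_sector, BYTES_PER_SECTOR_OFF)[0]
    spc = boot_sector[SECTORS_PER_CLUSTER_OFF]
    # Values >= 0x80 encode large clusters as 2 ** (256 - value) sectors.
    sectors_per_cluster = spc if spc < 0x80 else 1 << (256 - spc)
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn = struct.unpack_from("<Q", boot_sector, MFT_LCN_OFF)[0]
    mftmirr_lcn = struct.unpack_from("<Q", boot_sector, MFT_MIRR_LCN_OFF)[0]
    return {
        "cluster_size": cluster_size,
        "mft_offset": mft_lcn * cluster_size,        # seek here to read $MFT records
        "mftmirr_offset": mftmirr_lcn * cluster_size,
    }


# File signatures ("magic bytes") to carve for; JPEG here is the SOI marker plus the
# first segment marker byte, which is what the thread's "YoYa" rendering stands for.
SIGNATURES = {
    "jpeg": b"\xFF\xD8\xFF",
    "exe": b"MZ",
}


def find_signatures(data: bytes, align: int = 512) -> list:
    """Return (offset, type) for every signature that starts on a sector boundary.

    The two bytes 'MZ' occur in ordinary text, but a real file's data begins at a
    sector/cluster boundary, so requiring alignment drops most false positives.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            if pos % align == 0:
                hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve_jpeg(data: bytes, start: int) -> bytes:
    """Copy a JPEG out: from the SOI at `start` through the first EOI marker (FF D9).

    Naive on purpose: a JPEG with an embedded thumbnail contains an earlier FF D9,
    so a real carver would walk the segment lengths instead of stopping at the first one.
    """
    end = data.find(b"\xFF\xD9", start + 2)
    if end == -1:
        raise ValueError("no EOI marker found after offset %d" % start)
    return data[start:end + 2]


def build_sample_image() -> bytes:
    """Constructed 4 KiB volume for the demo: boot sector, JPEG at sector 2, EXE stub at sector 4."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                       # jump instruction, as on real volumes
    bs[OEM_ID_OFF:OEM_ID_OFF + 8] = b"NTFS    "
    struct.pack_into("<H", bs, BYTES_PER_SECTOR_OFF, 512)
    bs[SECTORS_PER_CLUSTER_OFF] = 8                 # 4 KiB clusters
    struct.pack_into("<Q", bs, MFT_LCN_OFF, 786432)  # sample $MFT cluster number
    struct.pack_into("<Q", bs, MFT_MIRR_LCN_OFF, 2)
    bs[510:512] = b"\x55\xAA"
    image = bs + bytearray(512 * 7)
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xFF\xD9"
    image[1024:1024 + len(jpeg)] = jpeg
    image[1500:1502] = b"MZ"    # unaligned 'MZ' in the middle of other data: must be ignored
    image[2048:2050] = b"MZ"    # sector-aligned 'MZ': a plausible executable header
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print(locate_mft(img[:512]))
    for offset, kind in find_signatures(img):
        print("%-5s at 0x%08x" % (kind, offset))
    print("carved JPEG: %d bytes" % len(carve_jpeg(img, 1024)))
```

With a real dump the boot sector is the first 512 bytes of the partition (not of the physical disk, which starts with the partition table), and `mft_offset` is where the `FILE` records begin; each record carries the file name and the data run list that the thread's original poster was looking for.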